
Tackling cyber criminals from the boardroom

The CEO Forum of the 5th Annual Cyber Security Summit, Sri Lanka’s premier annual cyber security awareness initiative, was recently concluded at Cinnamon Grand Colombo. Jake Davis and Darren Martyn, hacktivists turned ethical hackers, shared insights into the mindset of hackers, and into how organisations should mitigate different cyberattacks, with several top corporate leaders from different business sectors of the country.

Dissecting the mind of a hacker

Jake and Darren stole the limelight of the forum with some great insights about hacking, talked about why a CEO needs to understand how a hacker’s mentality works, and even gave a live hacking demo: they joined a public Wi-Fi network and sent a CISCO employee a text message that appeared to come from the CISCO Marketing Department.

Starting the forum, Jake said: “After participating at the forum, we were able to learn what worries a Sri Lankan CEO in terms of cyber security. So many people would come and ask us how they should protect their data and other industry secrets from potential cyber criminals. The tech industry and the cyber security space are so vast that there is no specific practice that one should follow to mitigate various threats; it differs from one person to another. We would always like to say that you as a CEO might be the main target of hackers, whatever their motive for getting into your organisation. You yourself might be secure, well aware of the situation and have participated in cyber security training. However, hackers tend to go after the lowest hanging fruit of the company.”

On the day of the main forum, the two ex-founder members of the internationally notorious hacktivist groups Anonymous and LulzSec found over 43,000 (43,846) individual leaked records belonging to .lk domains in just 32 out of a total of 2,500 breaches. Among the more than 43,000 leaked records they found passwords, emails and other personal information belonging to important individuals. Darren, however, pointed out that the number had changed drastically within 24 hours.

“This was yesterday; today the number is much bigger. We searched 39 breaches out of 2500 today, and the number has gone up to 60,856 records, which is okay though. We found less data in Sri Lanka than JP Morgan. Now you know that your country is less screwed than JP Morgan,” Darren laughed.

Of the 63 people who attended the forum, Darren said, 35 had been personally affected by cyber criminals. According to Darren, 83% of the companies that participated had been impacted, many of them through third-party data loss.

“This kind of stuff affects everyone. These are data leaks that have not been a result of organisations putting up fragile protection mechanisms but have come through third-party platforms that people trust so much, like LinkedIn and Dropbox. This is something that you have to absolutely focus on at the board level because it is directly going to impact you as the CEO. It is a risk you have to deal with.”

Nearly a third of the CEOs surveyed by KPMG International in 2016 saw cyber security as the issue having the biggest impact on their companies today. One out of five indicated that information security is the risk of greatest concern, while operational and compliance risks were listed as the top risks. But cyber risk, if uncontrolled, becomes an operational and regulatory issue very fast. 49% of the CEOs were fully prepared for a cyber event, but only half of CEOs had appointed a cyber security executive or team, and less than half had changed internal processes, such as data sharing.

Should you trust an ethical hacker?

Jake and Darren suggested a few mechanisms that could protect companies from cyber threats, such as enhancement management, for example enforcing two-factor authentication, which mitigates a number of risks. According to them, enforcing the right methods will always help companies limit the damage.

“Security and resilience can affect nearly every part of an organisation. Strategies to protect IT security and business resiliency should align with an organisation’s broader goals, from protecting intellectual property to maximising productivity to finding new ways to delight customers,” Jake noted.

Organisations should determine how resilient they are in advance of a breach so they aren’t left flat-footed after the fact, said Darren at the CEO Forum. “They should begin by asking how they can prevent an attack, how they can withstand it, and how to respond. Part of this process includes understanding what your specific risks and threats are and from there, making a business decision on what actions your organisation is comfortable taking,” he explained.

Darren now serves as a Security Researcher at the UK-based Xiphos Research Lab, after transforming himself from a hacktivist into an ethical hacker. When a participant asked whether a company could trust and employ an ethical hacker like him, he said: “It is tough and it takes a long time to settle after going through all the hardships – spending time at a young offenders’ institution, being banned from entering specific places, being banned from the internet, etc. We have been banned from entering some buildings. It was a challenge, and for the last five years we have been building a level of trust among people. I guess you have to work on an individual basis to garner that trust. It has been very hard, but we have been able to do that.”

“But I believe it is always useful to have someone who understands both sides of the situation. The tools will help, but the skill is in identifying the hole, and then knowing what you can do is also important. To replicate a hostile hack, you need the mindset to put together the right tools. A number of hacking tools available in the marketplace will only replicate certain easier attacks. That is where you require the help of an ethical hacker,” Jake said, answering the same question.

Security – a business differentiator

Answering the question of whether focusing on cyber security stifles innovation and business growth, CISCO India and SAARC Security Business Director Vishak Raman said organisations should not make the entire effort a headache.

“Customers are serious about cyber security. One CEO of a Sri Lankan bank asked whether we could make cyber security a differentiator. It is a very candid conversation. CEOs should not think that security is a bane and an everlasting capital expenditure. For banking institutions, security can be a differentiator where the bank could do something special for their high net worth individuals and make sure that their banking transactions are well secured. Organisations are slowly moving away from that mindset of considering security as a bane. Many organisations are involved in digitising their business processes; security is very important to make those operations smooth,” said Vishak.

Balancing the equation

Speaking about the balance between cyber threats and convenient payment modes, India and South Asia Visa Consolidated Support Services (India) Chief Risk Officer Shivkumar Sriraman said: “We see from one end that the cyber criminal community is getting more and more active and, from the other end, more and more technology companies are coming up with new business models – especially in the area of payments. There is a shift towards moving into seamless payments and a shift towards more convenient payments. Having said that, how do you balance this equation? Do stakeholders such as banks have any control over how the consumer is managing their mobile? We need to closely look at it and think of a strategy on how to balance this equation of convenience versus security.”

He spoke about a few strategies that will help companies address this issue. “One is on a long term and also on a medium and short term,” Shivakumar said. “On a long term, we need to look at devaluing the data. As we know, many of these cyber criminals are after this data. Data has become the new currency and they attack data for monetisation purposes. How do we devalue this data in the entire chain of the payment ecosystem? There are multiple players involved in this today, especially with mobile coming into play. How do we make this data worthless to these criminals? That is a strategy we have to think about on a long term. There are many solutions available, such as tokenisation, chip on card, etc.”

“Having said that, it is a complex ecosystem and you cannot make a change overnight. We still need to protect the data. There are security standards available in the payment space and people need to adopt them. It is also important to look at the aspect of empowering consumers. They should be aware of what is happening in the payment space. By giving consumers control over their usage, we can make them aware of different trends emerging, breach incidents, and how they need to secure their data from cyber threats.”

The amount of data being generated currently is humongous. A number of cyber criminals keep a close watch on this data in order to monetise it, but the same data could also be part of the solution. Shivakumar mentioned that organisations should look at running analytics on this data set, which would help them build a profile of a consumer and differentiate genuine usage from a fraud attempt.

“It is a journey we need to start. If we follow these strategies correctly within the next three to four years, I believe we could do a great change in this business space,” said Shivakumar.

Local companies need to be proactive

Addressing the gathering as one of the panellists, CICRA Holdings Group Director/CEO Boshan Dayaratne said most Sri Lankan companies still operate in a reactive mode when it comes to addressing cyber threats.

“I have seen that many companies wait till something happens to their systems and data. If you want to safeguard your data, companies have to look at a proactive approach rather than a reactive approach. Top management of a company also needs to be aware about security and put proper mechanisms in place. In a number of cases I have encountered, many local CEOs look to skip that part of the conversation. Companies need to identify the true need for doing a security assessment; most of the time, companies have been pushed to do a security assessment because of compliance requirements put out by regulators. Compliance doesn’t give you security, but if you are serious about safeguarding your data, you need to hire a professional and check whether someone from outside could penetrate your system.”

Boshan mentioned that after giving a comprehensive report on security issues with a proper solution to remediate existing problems, many companies tend to lock away those reports in a locker without even properly assessing the situation. “When we come next year, we find the same vulnerabilities remain because people were not keen enough to go through a report,” said Boshan.

CICRA has also come across a few incidents where top management fired employees of the IT department after a security report reached the board level of the organisation. “This is a wrong approach, especially on the management level. When we walk into the organisation, the IT department will be scared, and in one instance, IT employees of a certain organisation blocked certain parts of the system that we could not access. A company pays us and we come and expose the vulnerabilities; it is not to find fault with your employees but to find a solution to address issues,” Boshan added.

Understanding ICS weaknesses is important

Explaining the vulnerabilities which lie in industrial control systems (ICS), US-based Bayshore Networks Senior Director for Industrial Control Systems Dr. Vincent Turmel said ICS weaknesses can be found everywhere because they were designed based on open controls and old-fashioned industry designs.

“Cyber-attacks on critical infrastructure are becoming more severe and harder to detect year after year, which often results in cyber security becoming a central concern amongst industry players and governments. Most cyber-attacks on critical infrastructure aim to disrupt industrial activity for various reasons, but unlike ordinary cyber-attacks, the consequences might be much more severe in the case of industrial control systems.”

“Cyber criminals take advantage of the following loopholes to research and initiate attacks: lack of encryption and authentication, backdoors and ‘holes’ in the network perimeter, devices with little or no security features, database security vulnerabilities, insecure coding techniques in product design and lack of control mitigation technologies,” Dr. Vincent pointed out.

“It’s not a secret that there is great competition in industry. Organisations often use insiders and sometimes turn their own employees against the company to acquire secret information from adversaries by means of clandestine and secret operations. Then you have hackers who would break into your system either to gain fame in the community or for financial gain.”

“Many organisations tend to think that they are not a target of any group. You may be wrong, and you never know what weaknesses lie in your systems where a cyber-attack could topple your organisation. A clear understanding of the common weaknesses in ICSs helps corporate boards, executives and security officers engage in knowledgeable conversation about security, ask discerning questions, and make sound investments,” Dr. Vincent said at the forum.